Hackers Target WHO and HHS to Steal Login Credentials

A sophisticated group of hackers targeted the World Health Organization (WHO) and its partners attempting to steal login credentials to get access to its network by impersonating WHO’s internal email system. Several WHO staffers received spear-phishing emails that have URLs to a malicious site hosting a phishing kit.

Cybersecurity expert Alexander Urbelis detected the attack on March 13. Urbelis is also an attorney with Blackstone Law Group based in New York. The malicious site employed to host the bogus WHO login page had been used in other attacks on WHO employees previously.

It is uncertain who was behind the campaign, however, it is presumed to be a threat group known as DarkHotel based in South Korea. The intention of the attackers is unknown, however, Urbelis thinks that considering the exceptionally precise nature of the attack, the attackers were searching for specific credentials. DarkHotel has already carried out a number of attacks in East Asia for spying purposes. It is likely that the hackers were attempting to get access to information regarding possible treatments, potential cures, or vaccines for COVID-19.

Reuters was the first to report the story and approached WHO CISO, Flavio Aggio for even more information. Aggio stated the campaign wasn’t successful and the attackers were unable to harvest any data. Aggio affirmed the large increase in cases of targeting WHO recently. WHO has been impersonated in quite a few phishing campaigns that try to steal credentials and propagate malware. Aggio stated that attacks aimed towards impersonating WHO have increased over two times during the coronavirus pandemic.

Phishers Exploit Open Redirect on HHS Site to Install Racoon Information Stealer

Phishers were discovered to be exploiting an open redirect on the HHS website to direct visitors to a phishing website.

Open redirects are employed on websites to reroute visitors to another webpage. Open redirects may be made use of by anybody and are frequently abused by cybercriminals for their phishing strategies. URLs start with the official page of the site hosting the open redirect, and so people looking at the link may be tricked into thinking they are moving to a genuine website. They will be at first, but the ultimate destination is a phishing website.

The email utilized a COVID-19 bait and presented details concerning the coronavirus and contained a hyperlink with the text “Find and study your health symptoms. ”

Security analyst @SecSome discovered the open redirect on a subdomain of the Departmental Contracts Information System. It was employed to lead to a malicious attachment that has an lnk file that unpacks a VBS script to download the Racoon information stealer. Theft of credentials and sensitive data from 60 different apps is possible with the Racoon information stealer.